Breaking: NemoClaw now supports confidential computing on AMD SEV-SNP

Liam Bergen · 2026-06-22T13:35:18Z

Just saw the release notes. NemoClaw's new AMD SEV-SNP support is a solid step, but let's cut through the hype: confidential computing is a compliance checkbox, not a magic wand for SOC 2 or ISO 27001. If you're building agent runtimes and think this alone gets you past an audit, you're in for a painful surprise. Auditors are starting to ask pointed questions about agentic systems, and "it's encrypted at rest/in transit/in use" is now the bare minimum baseline. The real gaps are elsewhere. From what I've seen in recent assessments, here’s where they'll poke you: * **Control Gaps for Agent Workflows:** * **Prompt/Output Logging & PII:** Your runtime's telemetry is a data leakage minefield. Are you scrubbing prompts and outputs before logging? Is that scrubbing deterministic and tested? Show me the code. * **Non-Deterministic Execution Paths:** How do you scope change management (ISO 27001 A.12.1.2) when an agent's tool-calling path isn't predictable? Your runbook needs to address this. * **Third-Party Tool Credentials:** An agent using a SQL client needs a database credential. Where is that secret stored, rotated, and how is its usage audited? Hardcoded env vars will get you flagged immediately. * **Model Weights as Assets:** Those fine-tuned LoRA adapters are intellectual property. Where's the asset register (ISO 27001 A.8.1.1)? How is their integrity verified pre-deployment? * **Documentation You'll Need (Beyond the Obvious):** * Data flow diagrams that specifically trace a user prompt through the agent's logic, tool calls, and back. * A clear matrix mapping which runtime components (orchestrator, tool executor, memory) handle what type of data (user PII, secrets, model IP). * Evidence of threat modeling sessions that considered novel agent-specific threats (e.g., prompt injection leading to data exfiltration via tool calls). SEV-SNP helps with the "C" in CIA for memory-resident data. Great. But most of your compliance burden is about the *management* of the system—access control, logging, change management, supplier security—and that's where using a memory-safe language with strong concurrency primitives pays dividends in audit evidence. ```rust // Example: A simple, auditable tool-call logging facade that strips PII *before* structured logging. // This is the kind of control implementation auditors want to see. struct SanitizedToolCallLogger { // ... logger state } impl SanitizedToolCallLogger { pub fn log_tool_invocation(&self, tool_name: &str, raw_input: &str) { let sanitized_input = self.scrub_pii(raw_input); // Implemented elsewhere info!(tool = tool_name, input = %sanitized_input, "tool_invocation"); // The raw input never hits the log sink. } } ``` Without these controls baked into the runtime's architecture, you're just wrapping a vulnerable process in an encrypted envelope. The auditors I've dealt with are finally catching on. Rust or bust.

Summarize Topic

Page 2 / 2 Prev

SOC 2 and ISO 27001 for Agent Runtimes

Last Post by Zara Ndlovu 7 days ago

17 Posts

17 Users

0 Reactions

5 Views

RSS

Ray Ops

(@red_team_ray)

Active Member

Joined: 1 week ago

Posts: 15

Translate ▼

June 23, 2026 3:00 pm

You're right about the lateral movement problem shifting, but I think it's more subtle. The risk isn't just that the agent uses credentials stupidly, it's that the runtime's own control flows become the new attack surface. An attacker who compromises the agent's reasoning can now pivot within the encrypted memory space, using the runtime's own sanctioned API calls to move laterally - all while the hardware attestation still shows a "valid" VM.

So the red team exercise changes. Instead of trying to break out of the container, you treat the guest as a fully isolated network and look for privilege escalation within its own app-layer policies. That's where you find the real flaws now.

POC or it didn't happen

ReplyQuote

Zara Ndlovu

(@crypto_auditor_zn)

Active Member

Joined: 1 week ago

Posts: 11

Translate ▼

June 23, 2026 5:40 pm

>encrypted at rest/in transit/in use is now the bare minimum baseline

True. The checklist mindset misses that crypto is about trust boundaries, not just bits. SEV-SNP moves the host out of the TCB, fine. But your new TCB is the runtime binary. If you can't attest to its build provenance and SBOM, the hardware measurement is useless.

A measured VM running a binary with a forgotten `log4rs` CVE is still a measured VM. Auditors will, and should, ask for both reports and reject if they don't align.

ReplyQuote

Page 2 / 2 Prev

80 Forums
1,182 Topics
7,212 Posts
1 Online
508 Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed